SQL Injection Vulnerability in Zechat by Bylancer
CVE-2018-25382

8.8HIGH

Key Information:

Vendor

Bylancer

Status
Zechat
Vendor
CVE Published:
29 May 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2018-25382?

Zechat 1.5 is vulnerable to SQL injection, enabling unauthenticated attackers to manipulate the database via the uname parameter. By crafting specific requests to the profile.php endpoint, attackers can execute UNION-based SQL injection payloads that may reveal sensitive information, including table and column names, as well as user data from the information_schema database. This oversight represents a significant security risk to any implementation of Zechat 1.5, as it allows for unauthorized access to potentially sensitive data.

Affected Version(s)

Zechat 1.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-25382 - Proof of Concept

References

https://www.exploit-db.com/exploits/45523
exploit
https://bylancer.com/
product
https://bylancer.com/products/zechat-php-script/index.php
product

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ihsan Sencan
.